Safari Forensic

This examination of artifacts was conducted on Safari 6.0.1 running on Mac OS X 10.8, aka Mountain Lion.

  • Bookmarks: /Users/<user>/Library/Safari/Bookmarks.plist
    • bookmarks (pre-defined on installation or user-input)
  • Downloads: /Users/<user>/Library/Safari/Downloads.plist
    • Source URL
    • Destination path on system
    • Total file size
    • Download progress (in bytes)
  • Extensions: /Users/<user>/Library/Safari/Extensions/Extensions.plist
    • installed extensions
  • History: /Users/<user>/Library/Safari/History.plist
    • URL
    • visit count
    • webpage title
    • last visited timestamp (in Mac CFAbsolute Time)
    • redirected URL
    • autocomplete
  • History Index: /Users/<user>/Library/Safari/
  • Last session: /Users/<user>/Library/Safari/LastSession.plist
  • Local storage: /Users/<user>/Library/Safari/LocalStorage/ and /Users/<user>/Library/Safari/LocalStorage/StorageTracker.db
    • StorageTracker.db: tracks local storage files
  • TopSites: /Users/<user>/Library/Safari/TopSites.plist
    • URL
    • Webpage title
    • Last modified timestamp
  • Webpage Icons: /Users/<user>/Library/WebpageIcons.db
  • Cache: /Users/<user>/Library/Caches/
    • BLOB Cache data
    • URL
    • timestamp (in system time)
  • Webpage Preview (thumbnail): /Users/<user>/Library/Caches/ Previews
  • Cookies: /Users/<user>/Library/Cookies/Cookies.binarycookies


This plist file records the current state of the browser. It is used to restore the state of the browser in the event that Safari exits unexpectedly. In my lab simulation, if Safari exits normally, there is no entry in SessionWindows.

Browsing session ended as normal

Browsing session ended unexpectedly

TabStates records the visited webpages in the current state. Each item in the TabStates is listed as a tab in Safari.

  • TabTitle: records the title of the webpage
  • TabURL: records the visited URL of the webpage


TopSites is a feature in Safari to improve user browsing preferences. Websites are added to TopSites in one of the following 3 ways: by default, generated by Safari based on users' preferences, or pinned to TopSites by the user. TopSites information is stored in TopSites.plist. This plist file stores data such as the URL, the title and how each site was added to TopSites. In my lab test, the following XML tags were observed:

  • Default sites: TopSiteIsBuiltIn
  • Pinned by user: TopSiteIsPinned
  • Safari-generated preference: <No tag>


Safari stores cache items in a SQLite file named "Cache.db". The 2 most important tables in this SQLite file are:

  • cfurl_cache_receiver_data (BLOB data)
  • cfurl_cache_response (URL, for visited sites, timestamp on system in UTC format)

SQLite statement to correlate BLOB data with URL, sorted by timestamp:

SELECT cfurl_cache_response.entry_ID,
       cfurl_cache_response.request_key,
       cfurl_cache_response.time_stamp,
       cfurl_cache_receiver_data.receiver_data
FROM cfurl_cache_receiver_data, cfurl_cache_response
WHERE cfurl_cache_response.entry_ID = cfurl_cache_receiver_data.entry_ID
ORDER BY cfurl_cache_response.time_stamp;
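The statement above, run from Python against a working copy of Cache.db, as an added example that is not part of the original post: it opens the database read-only and adds a size, a SHA-256 and a signature-based type guess for each BLOB. The sample rows, the reduced schema and the helper names (cache_timeline, sniff, build_sample_db) are constructed for illustration.

```python
import contextlib
import hashlib
import pathlib
import sqlite3
import tempfile

# The page's join with an explicit JOIN; table and column names are the page's.
QUERY = """SELECT r.entry_ID, r.request_key, r.time_stamp, d.receiver_data
FROM cfurl_cache_response AS r
JOIN cfurl_cache_receiver_data AS d ON d.entry_ID = r.entry_ID
ORDER BY r.time_stamp"""

# A few well-known file signatures for first-pass triage of the BLOBs.
MAGIC = [(b"\x89PNG\r\n\x1a\n", "png"), (b"\xff\xd8\xff", "jpeg"),
         (b"GIF8", "gif"), (b"%PDF", "pdf")]

def sniff(blob):
    return next((name for sig, name in MAGIC if blob.startswith(sig)), "unknown")

def cache_timeline(db_path):
    """Return one dict per cached response, oldest first."""
    # mode=ro opens the evidence copy read-only so the query cannot alter it.
    uri = pathlib.Path(db_path).resolve().as_uri() + "?mode=ro"
    with contextlib.closing(sqlite3.connect(uri, uri=True)) as con:
        rows = con.execute(QUERY).fetchall()
    timeline = []
    for entry_id, url, stamp, blob in rows:
        blob = bytes(blob or b"")
        timeline.append({"entry_ID": entry_id, "url": url, "time_stamp": stamp,
                         "size": len(blob), "type": sniff(blob),
                         "sha256": hashlib.sha256(blob).hexdigest()})
    return timeline

def build_sample_db(path):
    """Constructed sample rows; schema reduced to the columns the query uses."""
    con = sqlite3.connect(path)
    con.executescript("""
        CREATE TABLE cfurl_cache_response (entry_ID INTEGER, request_key TEXT, time_stamp TEXT);
        CREATE TABLE cfurl_cache_receiver_data (entry_ID INTEGER, receiver_data BLOB);
        INSERT INTO cfurl_cache_response VALUES (1, 'http://example.com/logo.png', '2012-10-02 09:15:00');
        INSERT INTO cfurl_cache_response VALUES (2, 'http://example.com/', '2012-10-01 18:30:00');
        INSERT INTO cfurl_cache_receiver_data VALUES (1, X'89504E470D0A1A0A0000'), (2, CAST('<html></html>' AS BLOB));
    """)
    con.close()
    return path

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        for row in cache_timeline(build_sample_db(tmp + "/Cache.db")):
            print(row["time_stamp"], row["type"], row["size"], row["url"])
```

Recording the hash of each BLOB at extraction time lets a carved file be tied back to its entry_ID and URL later in the report.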


